• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

REST security

 
Ranch Hand
Posts: 448
Eclipse IDE Firefox Browser Tomcat Server
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I am wondering as to how the security features are added to the REST based applications like anyone can invoke the URL for GET,POST,DELETE and PUT in order to invoke my RESTful webservice with spam data.

What are the common checks done by RESTful servers?

Any website that you know of which explains this in good manner will be helpful.
 
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
For my REST services I require authentication on every request (using HTTP basic authentication). And of course, running under SSL.
 
Sunny Bhandari
Ranch Hand
Posts: 448
Eclipse IDE Firefox Browser Tomcat Server
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Encryption and SSL is fine. I understand that the message can't be seen without decrypting it.

But how is authentication implemnted. I mean in typical web applications, we have a text field for user name and password but how do you manage that in REST webservice.

How can one invoke your webservice, I mean how does the User Interface looks like? Do they enter the URL directly inside the address bar of browser to invoke your web service or they have to enter URL in some text field on a web page designed by you..

Like I won't want that anybody can fire a GET request on my webservice by simply entering a URL in browser. How will I ask him for username and password?

Hope you got my question..
 
Bear Bibeault
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Sunny Bhandari wrote:But how is authentication implemnted. I mean in typical web applications, we have a text field for user name and password but how do you manage that in REST webservice.


I already mentioned that I employ HTTP Basic Authentication

How can one invoke your webservice, I mean how does the User Interface looks like? Do they enter the URL directly inside the address bar of browser to invoke your web service or they have to enter URL in some text field on a web page designed by you..


There is no UI. Clients are free to create requests into the web service any way that they want.

The browser is of no use as it can only issue GETs via the address bar.

Like I won't want that anybody can fire a GET request on my webservice by simply entering a URL in browser. How will I ask him for username and password?


See link above.
 
Sunny Bhandari
Ranch Hand
Posts: 448
Eclipse IDE Firefox Browser Tomcat Server
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think I am not clear here.

Ok, I will rephrase my question.

A username and password can be asked in a number of way even while using basic HTTP authentication, is it a webpage with username and password as text fields or what?

Is it the same as any other sign in page like this?

 
Bear Bibeault
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
There is no page. Once again: there is no page.

A web service doesn't have a UI. It just responds to requests sent into it -- regardless of how those requests are initiated.

The article I linked to describes how the username and password are passed, encoded in the (badly named) Authorization header of the request. For example:


It is the responsibility of the client to set this header appropriately. How the client gathers the username and password is entirely up to the client. If the client is a web app, it might prompt the user as per usual in web apps. if it's code, it might just get it from properties files. One of the clients using one of my services is an iPhone app. I have no idea how it gathers the username and password, and from the point of view of the REST web service, it doesn't matter!
 
Sunny Bhandari
Ranch Hand
Posts: 448
Eclipse IDE Firefox Browser Tomcat Server
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think I got it. Thanks for your time. Will try to implement one myself for more clarity.
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic